It's not so easy to find a clear rule for how this should be done. But this is what I use and it works.
You have to set up three SPNs: the full FQDN with the port (be sure to use a static port), the FQDN with the instance name, and a third one for the NetBIOS name.
SETSPN -s MSSQLSvc/SERVERNAME.DOMAINNAME.COM:port DOMAIN\SQLSERVICEACCOUNT
SETSPN -s MSSQLSvc/SERVERNAME.DOMAINNAME.COM:Instancename DOMAIN\SQLSERVICEACCOUNT
SETSPN -s MSSQLSvc/SERVERNAME DOMAIN\SQLSERVICEACCOUNT
For Analysis Services, these two are needed:
SETSPN -s MSOLAPSvc.3/SERVERNAME.DOMAINNAME.COM:Instancename DOMAIN\SQLSERVICEACCOUNT
SETSPN -s MSOLAPSvc.3/SERVERNAME:Instancename DOMAIN\SQLSERVICEACCOUNT
In some situations the browser also needs to be fixed:
SETSPN -s MSOLAPDisco.3/SERVERNAME.DOMAINNAME.COM SERVERNAME
SETSPN -s MSOLAPDisco.3/SERVERNAME SERVERNAME
Beyond the Kerberos SPN settings, you also need to set the service account as trusted for delegation in Active Directory. Clients will use Kerberos anyway, but in situations where more than two machines are involved in the authentication chain this is necessary.
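A read-only check for the registrations above, added here as an example (it is not the author's script): it looks up each expected SPN in Active Directory over LDAP, flags entries that are missing, duplicated or held by the wrong account, and then shows the service account's delegation settings. All names and port 1433 are placeholders to replace.

```powershell
# Added example: placeholder values, replace before use. Run on a domain-joined machine.
$Server   = 'SERVERNAME'
$Fqdn     = 'SERVERNAME.DOMAINNAME.COM'
$Instance = 'Instancename'
$Port     = 1433                  # assumed static port
$SvcSam   = 'SQLSERVICEACCOUNT'   # sAMAccountName of the SQL service account
$HostSam  = "$Server`$"           # computer account, holder of the MSOLAPDisco.3 SPNs

# Expected SPN -> account that should hold it (mirrors the SETSPN lines in the post).
$expected = [ordered]@{
    "MSSQLSvc/${Fqdn}:$Port"          = $SvcSam
    "MSSQLSvc/${Fqdn}:$Instance"      = $SvcSam
    "MSSQLSvc/$Server"                = $SvcSam
    "MSOLAPSvc.3/${Fqdn}:$Instance"   = $SvcSam
    "MSOLAPSvc.3/${Server}:$Instance" = $SvcSam
    "MSOLAPDisco.3/$Fqdn"             = $HostSam
    "MSOLAPDisco.3/$Server"           = $HostSam
}

function Test-Spn {
    param([string]$Spn, [string]$Owner)
    # LDAP lookup in the current domain only; these SPNs need no filter escaping.
    $hits    = ([adsisearcher]"(servicePrincipalName=$Spn)").FindAll()
    $holders = @($hits | ForEach-Object { [string]$_.Properties['samaccountname'][0] })
    $status  = if ($holders.Count -eq 0)    { 'MISSING' }
               elseif ($holders.Count -gt 1)   { 'DUPLICATE' }
               elseif ($holders[0] -ne $Owner) { 'WRONG ACCOUNT' }
               else                            { 'OK' }
    [pscustomobject]@{
        SPN = $Spn; Expected = $Owner; FoundOn = ($holders -join ', '); Status = $status
    }
}

$expected.GetEnumerator() |
    ForEach-Object { Test-Spn -Spn $_.Key -Owner $_.Value } |
    Format-Table -AutoSize

# Delegation settings currently set on the service account.
$acct = ([adsisearcher]"(sAMAccountName=$SvcSam)").FindOne()
if ($acct) {
    $uac = [int]$acct.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Account              = $SvcSam
        TrustedForDelegation = [bool]($uac -band 0x80000)   # TRUSTED_FOR_DELEGATION flag
        AllowedToDelegateTo  = @($acct.Properties['msds-allowedtodelegateto']) -join ', '
    } | Format-List
} else {
    Write-Warning "Account $SvcSam not found in the current domain."
}
```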